Randomize link-order of libcrypto as we do with libc.  This library
has many small functions without significant local storage, therefore
less tail protection from -fstack-protector-strong to prevent their use
as ROP gadgets.  It is used in security contexts.  Also many functions
dribble pointers onto the stack, allowing discovery of gadgets via the
fixed relative addresses, so let's randomly bias those.
ok tedu jsing
The rc script will soon need a strategy for skipping this step on
machines with poor IO performance.  Or maybe do it less often?  However,
I don't see many more libraries we'll do this with, these are the two
most important ones.
OPENBSD_6_2
deraadt 7 years ago
parent
commit
64e2dc97c4
1 changed files with 2 additions and 2 deletions
src/etc/rc: +2 -2

@ -1,4 +1,4 @@
# $OpenBSD: rc,v 1.495 2017/05/01 14:01:47 rpe Exp $
# $OpenBSD: rc,v 1.496 2017/05/29 09:44:01 deraadt Exp $
# System startup script run by init on autoboot or after single-user. # System startup script run by init on autoboot or after single-user.
# Output and error are redirected to console by init, and the console is the # Output and error are redirected to console by init, and the console is the
@ -168,7 +168,7 @@ reorder_libs() {
echo -n 'reordering libraries:' echo -n 'reordering libraries:'
# Only choose the latest version of the libraries. # Only choose the latest version of the libraries.
for _liba in /usr/lib/libc.so.*.a; do
for _liba in /usr/lib/libc.so.*.a /usr/lib/libcrypto.so.*.a; do
_liba=$(ls ${_liba%%.[0-9]*}*.a | sort -V | tail -1) _liba=$(ls ${_liba%%.[0-9]*}*.a | sort -V | tail -1)
for _l in $_libas; do for _l in $_libas; do
[[ $_l == $_liba ]] && continue 2 [[ $_l == $_liba ]] && continue 2
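Review bot: In the `for _liba in /usr/lib/libc.so.*.a /usr/lib/libcrypto.so.*.a` line, the new second glob stays a literal string on a system where no libcrypto archive is installed, so the `ls ... | sort -V | tail -1` on the following line returns nothing and `_liba` ends up empty; nothing in the visible context checks for that before the `[[ $_l == $_liba ]]` comparison. Consider skipping the iteration when `_liba` is empty or the archive does not exist, or confirm that the rest of reorder_libs already handles that case. Given the boot-time I/O cost the commit message itself raises, a short comment at the loop saying why libcrypto is in the list would also help whoever later adds the skip strategy.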